...
Metadata signature verification is done against the public key alone. If the public key for the federation metadata feed channel is supplied in the form of an X.509 certificate, other aspects of the certificate such as its expiry date do not form part of signature verification. This approach is borrowed from the SAML metadata interoperability profile [SAMLMetaIoP] (url?). In particular an expired certificate will still be used for the verification purpose. (Some text is missing to introduce next table)
Metadata signature verification includes following checks:
Condition evaluated | Reason | |
|---|---|---|
S1 | The signature exists and is valid | eduGAIN-profile] section 4 |
S2 | The signature can be validated with the public key configured for the federation metadata channel | [eduGAIN-profile] section 4 |
| S3 | The signature was made using an explicit ID reference, not an empty reference | [eduGAIN-profile] section 4 |
| S4 | The signature reference refers to the document element | [eduGAIN-profile] section 4 |
| S5 | The signature's digest algorithm is at least as strong as SHA-256, and does not use MD5 | [eduGAIN-profile] section 4 |
| S6 | The signature's signature method is RSA with an associated digest at least as strong as | [eduGAIN-profile] section 4 |
| S7 | The signature's transforms contain only these permissible values:
| [eduGAIN-profile] section 4 |
| S8 | RSA/EC key used to sign metadata is at least 2048/256 bits in length | [eduGAIN-profile] section 4 |
...